Regular expressions and bypass cases

Check the number ：

1. Numbers ：^[0-9]*$

2. n Digit number ：^\d{n}$

3. At least n Digit number ：^\d{n,}$

4. m-n Digit number ：^\d{m,n}$

5. Zero and non-zero digits ：^(0|[1-9][0-9]*)$

6. A number with a maximum of two decimal places beginning with a nonzero ：^([1-9][0-9]*)+(.[0-9]{1,2})?$

7. belt 1-2 Positive or negative number of decimal places ：^(\-)?\d+(\.\d{1,2})?$

8. Positive numbers 、 negative 、 And decimal fraction ：^(\-|\+)?\d+(\.\d+)?$

9. A positive real number with two decimal places ：^[0-9]+(.[0-9]{2})?$

10. Yes 1~3 Positive real number of decimal places ：^[0-9]+(.[0-9]{1,3})?$

11. Nonzero positive integer ：^[1-9]\d*$ or ^([1-9][0-9]*){1,3}$ or ^\+?[1-9][0-9]*$

12. Nonzero negative integer ：^\-[1-9][]0-9"*$ or ^-[1-9]\d*$

13. Non-negative integer ：^\d+$ or ^[1-9]\d*|0$

14. Non positive integer ：^-[1-9]\d*|0$ or ^((-\d+)|(0+))$

15. Nonnegative floating point number ：^\d+(\.\d+)?$ or ^[1-9]\d*\.\d*|0\.\d*[1-9]\d*|0?\.0+|0$

16. Non positive floating point number ：^((-\d+(\.\d+)?)|(0+(\.0+)?))$ or ^(-([1-9]\d*\.\d*|0\.\d*[1-9]\d*))|0?\.0+|0$

17. Positive floating point ：^[1-9]\d*\.\d*|0\.\d*[1-9]\d*$ or ^(([0-9]+\.[0-9]*[1-9][0-9]*)|([0-9]*[1-9][0-9]*\.[0-9]+)|([0-9]*[1-9][0-9]*))$

18. Negative floating point number ：^-([1-9]\d*\.\d*|0\.\d*[1-9]\d*)$ or ^(-(([0-9]+\.[0-9]*[1-9][0-9]*)|([0-9]*[1-9][0-9]*\.[0-9]+)|([0-9]*[1-9][0-9]*)))$

19. Floating point numbers ：^(-?\d+)(\.\d+)?$ or ^-?([1-9]\d*\.\d*|0\.\d*[1-9]\d*|0?\.0+|0)$

Check character ：

1. Chinese characters ：^[\u4e00-\u9fa5]{0,}$

2. English and numbers ：^[A-Za-z0-9]+$ or ^[A-Za-z0-9]{4,40}$

3. The length is 3-20 All characters of ：^.{3,20}$

4. from 26 Composed of English letters character string ：^[A-Za-z]+$

5. from 26 A string of uppercase letters ：^[A-Z]+$

6. from 26 A string of lowercase letters ：^[a-z]+$

7. By numbers and 26 A string of English letters ：^[A-Za-z0-9]+$

8. By digital 、26 A string of English letters or underscores ：^\w+$ or ^\w{3,20}$

Bypass the case ：

     User input
         Encounter lightweight detection
             adopt javascript Detection bypass
             adopt MIME Type detection bypasses
             Encountered file content detection
  Bypass by code injection
  Path encountered 、 Extension detection
  Detection bypass
Encounter blacklist detection
File case bypass
  The list bypasses
Special file names bypass （windows）
0x00 Bypass
Encountered whitelist detection
0x00 Cut and bypass
Code layer upload vulnerability
  Direct analytical
  Detection did not bypass
  Parsing attacks
    Code layer parsing call
 .htaccess File parsing
  The local file contains parsing
  Summary
Code layer upload vulnerability
Indirect analysis
  Application layer resolution call
Apache Parsing vulnerabilities
 IIS Parsing vulnerabilities
 Nginx Parsing vulnerabilities
Summary
  Code layer upload vulnerability
  Indirect analysis
 

test ：

Client detection bypasses (javascript testing )
First of all, we observed that only image files can be uploaded , So the front-end view code , When the page changes , Will call this checkFileExt Function to check whether the image is uploaded , We just need to put... On the front end checkFileExt Function delete , You can upload a non image file .
You can also use burpsuit, But pay attention to change the Trojan horse into picture format first , To grab bags , Change again